How Elkjøp gained control of their access risks in a few days

The challenge: Lack of control over roles and access

Elkjøp is running these SAP systems: ECC, TM, EWM, F&R, CAR, EM and SLT. They encountered difficulties in managing large projects with tight deadlines, including the extensive use of external consultants who required additional authorizations using broad-access transaction codes.

The use of consultants made it challenging for Elkjøp to gain a clear understanding of the full scope of the project, and resulted in loss of control over role additions. Challenges included:

• unclear role ownership
• a lack of active role assessment
• neglect of Segregation of Duties (SoD) and the Principle of Least Privilege
• organizational changes not being considered.

Another challenge they faced was a one-size-fits-all approach to roles, rather than creating roles tailored to specific needs, leading to inefficiencies and potential security risks.

Elkjøp concluded that they needed greater control over their systems, and support with setting up and managing these controls.

An effective GRC solution for SAP authorisations

Elkjøp chose the solution from EPI-USE Labs’ partner Soterion, as it offered industry best practices for SAP roles and authorisations.

Soterion's compliance software solves GRC (Governance, Risk management and Compliance) for SAP clients. The GRC tool was an excellent starting point for risk identification and management, enabling the team to obtain analytical and statistical views of their access risks, including SoD categorisation, critical transactions and privacy risks. They could also identify superfluous functions and transactions, which facilitated identifying remediation opportunities.

Soterion's big data mining and drill-down utilities made it possible to perform an in-depth analysis, while its standard reporting functionality included online reporting with live drill-down capabilities on current data. This enabled Elkjøp to have a comprehensive and effective approach to managing access risks and maintaining control over authorisation processes.

Shift in risk approach with Soterion

The implementation of the solution initiated a risk remediation project that raised awareness in the company, and started moving the responsibility back to the business, rather than the IT team. Also, the company did an extensive clean-up process to address the Principle of Least Privilege.

Soterion is now configured to run a monthly deactivation process for inactive users, and all users and authorisations are centrally provisioned.

Benefits

• Implementation completed in a few days
• Imminent reduction of superfluous functions by 61%
• Reduced the number of inactive users by 91%
• Improved auditor trust
• Decrease in roles with unused transactions

About Elkjøp Nordic

Elkjøp Nordic was founded in Norway in 1962. Since then, they have grown to become the market leader in consumer electronics and kitchen appliances retail in the Nordic countries. The group consists of around 11,000 employees, and more than 400 stores in Norway, Sweden, Denmark and Finland, Greenland, Iceland and the Faroe Islands.

Elkjøp Nordic has been being part of Curry’s UK (Dixons Carphone plc) since 1999.